Published:2025/04/01 Last Updated:2025/04/01
JVN#87266215
WordPress plugin "Welcart e-Commerce" vulnerable to untrusted data deserialization
Overview
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains an untrusted data deserialization vulnerability.
Products Affected
- Welcart e-Commerce 2.11.6 and earlier versions
Description
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains an untrusted data deserialization vulnerability (CWE-502).
Impact
Arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.
Solution
Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the following version to address this vulnerability.
- Welcart e-Commerce 2.11.12
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Welcart Inc. | Vulnerable | 2025/04/01 | Welcart Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score:
6.3
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Hiroshi Sawada of CrowdStrike Holdings, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-27130 |
| JVN iPedia |
JVNDB-2025-000023 |